Wednesday, September 12, 2012

SmartTV, Smartphones and Fill-in-the-Blank Employees

Right off the bat, I know the title sounds like it’s all connected, but the stories are only slightly related, so I’ll give you the option of dropping out now. Still here? Cool. I’ve been traveling over the last couple of weeks, and along the way a few stories caught my eye that I probably would have written about but didn’t. Until now. Besides, it’s always fun to roll up a few stories into one to get back on track.

TVs are becoming cutting-edge multimedia devices that hang on your living room wall. You can stream movies, browse the web, check the weather, plug in USB drives for slideshows and video, play games, and join the home network, along with simply catching the latest episode of your favorite program. This article from usatoday.com covers many of the internet-enabled TVs and their capabilities. For instance, some TVs now include dual-core processors to make web browsing more enjoyable, since many TVs lack the processing power to load web pages as quickly as we’re used to on our computers. Also arriving are TVs with screen resolutions four times greater than full HD; these are the 4K sets. The new 4K sets apparently have dampened any lingering 3D enthusiasm, which seemed to be waning anyway. In addition to TVs, other appliances are getting smart, so they say. There are new refrigerators, air conditioners, washers, and dryers that are all app-controlled; users can turn them on and off from anywhere. I know there are mobile ‘apps,’ but it would be an easy transition to start calling our appliances apps as well. Close enough. How’s the clothes-cleaning app working? Is the food-cooling app running? I’ve mentioned many times that while all this is very cool stuff, we still need to remember that these devices are connected to the internet and subject to the same threats as all our other connected devices, and they carry a web browser and a network stack that the owner rarely thinks to patch. It’s only a matter of time before a hacker takes down all the ‘smart’ refrigerators on the East Coast. I also think that TVs, cars and any other connected device could be considered BYOD in the near future. Why wouldn’t a mobile employee want secure VDI access from his car’s entertainment/GPS display? Why couldn’t someone check their corporate email from the TV during commercials? If that happens, those devices have to be treated like any other endpoint that touches corporate data: inventoried, kept off the trusted network until they meet policy, and given access only through a controlled gateway.

To Educate or Not Educate. I have no idea why I only saw this recently, but back in July there was a lively discussion about whether security awareness training for employees is money well spent. I’ve often written about the importance of ongoing training. In Why you shouldn't train employees for security awareness, Dave Aitel argues that even with all that training, employees still click malicious links anyway. Instead of wasting money on employee training, he says, organizations should bolster their systems’ defenses to protect employees from themselves. Boris Sverdlik of Jaded Security posted a rebuttal saying that employees are, and should be, accountable for what happens in the environment, and that no amount of controls can protect against people spilling secrets during a social engineering probe. In a rebuttal to both, Iftach Ian Amit of Security Art says they are both right and wrong at the same time. He states: ‘Trying to solve infosec issues through technological means is a guaranteed recipe for failure. No one, no technology, or software can account for every threat scenario possible, and this is exactly why we layer our defenses. And layering shouldn’t just be done from a network or software perspective – security layers also include access control, monitoring, tracking, analysis, and yes – human awareness. Without the human factor you are doomed.’ His position is that when it comes to ‘Information Security,’ we focus too much on the ‘information’ part and not enough on the holistic meaning of ‘security.’ His suggestion is to look at your organization as an attacker would and invest in the areas that turn out to be vulnerable. That’s your basic risk analysis and risk mitigation: rank the threats by likelihood and impact, then spend where the gap is largest, whether that gap is a missing control or an untrained employee.